Audience URI validation failed. Audience does not match
Problem description
We want to validate the JWT token acquired using office.js Office.context.mailbox.getUserIdentityTokenAsync(result). We have implemented our own JwtSecurityTokenHandler for us to get the unique ID of the user and add it as a claim to the request, so we could authorize the user in all our functions.
But we are not able to authenticate the JWT token. It is throwing the following InvalidAudienceURI exception. But when we decoded the token, the URI which is used to generate the token is getting generated dynamically with an et query string. This et query string is injected dynamically by office.js.
Exception:
Microsoft.Exchange.WebServices.Auth.Validation.InvalidTokenAudienceException was unhandled by user code
HResult=-2146233088
Message=Audience URI validation failed. Audience does not match.
Source=Microsoft.Exchange.WebServices.Auth
StackTrace:
at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.ProcessToken(Uri extensionServiceHost, String key) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 220
at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.Validate(Uri extensionServiceHost, String catchedKey) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 185
at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.Validate(Uri extensionServiceHost) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 155
at UatWork.Web.CustomTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) in C:\Users\vinay\Source\Workspaces\UatWork-O365\Development\UatWork\src\UatWork.Web\Startup.cs:line 176
at Microsoft.AspNet.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
Image: exception and custom handler
Solution 1 tried: We tried to override the ValidateAudience method. But at runtime this method is never getting executed.
Solution 2 tried: We tried to add AudienceValidator as an option for the JwtToken handler. Unfortunately this is also not being called.
Can anyone tell me how to go about it from here?
Thanks, Vinay TC
If I understand the problem correctly (and maybe I don't), it sounds like you're saying the payload.aud property is changing each request?
For now, here's what I know of the hostUri used by the validation:
If the provided hostUri does not match the first instance of a <SourceLocation> element as defined in your manifest XML, the token.Validate() call will fail.
The token string in raw form is three base64 encoded objects separated by '.'s.
- Header - JSON object string
- Payload - JSON object string
- Signature - hash of the header and payload sections using X509 cert on the exchange server.
If you do not know what your hostUri should be, inspect the raw token string, decode the Payload section (you may need to pad it out to mod 4 length by appending = chars).
Inspecting the payload JSON object, you will see a property named aud. The value of aud is the Uri you should be using for hostUri.
So, if you can capture the raw token, you could use the following JavaScript to get the required hostUri:
var rawTokenString = "..."; //insert actual raw token string!
var rawPayload = rawTokenString.split('.')[1];
// JWT segments are base64url encoded: map '-' and '_' back to the '+' and '/' that atob expects
rawPayload = rawPayload.replace(/-/g, '+').replace(/_/g, '/');
// pad out to a multiple of 4 characters, since base64url strips the '=' padding
while (rawPayload.length % 4 != 0) {
    rawPayload += '=';
}
var payload = JSON.parse(atob(rawPayload));
console.info(payload.aud); // this is the value to use as hostUri
Hopefully that works...
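As an added example (not code from the question or the answer above) for the decoding steps and the SourceLocation comparison described in this answer: it handles base64url properly, since atob alone rejects the '-' and '_' characters JWT segments can contain, and then checks the decoded aud against the manifest's first SourceLocation. The manifest URL, the payload, the et value and the unsigned sample token are constructed; comparing only scheme, host and path (ignoring the per-request query string) is my assumption, to be confirmed against your own manifest.

```javascript
// JWT segments use base64url: '-' and '_' instead of '+' and '/', and no '=' padding.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';          // pad out to a multiple of 4
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and return the payload as an object.
// The signature is not verified here; that is the job of the Exchange validator.
function decodePayload(rawToken) {
  const parts = rawToken.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compare scheme, host and path of "aud" with the <SourceLocation> URL, ignoring the
// query string that the question reports office.js appends per request (assumption:
// scheme, host and path are what must agree; confirm that against your own manifest).
function audienceMatchesSourceLocation(aud, sourceLocation) {
  let a, s;
  try { a = new URL(aud); s = new URL(sourceLocation); } catch (e) { return false; }
  return a.protocol === s.protocol &&
         a.host.toLowerCase() === s.host.toLowerCase() &&
         a.pathname === s.pathname;
}

// Constructed sample data (placeholder host and values, not a real add-in or token).
const MANIFEST_SOURCE_LOCATION = 'https://addin.example.com/AppRead/Home/Home.html';
const SAMPLE_PAYLOAD = {
  aud: MANIFEST_SOURCE_LOCATION + '?et=sample-value',   // dynamic query string
  iss: 'https://exchange.example.com/'
};
const SAMPLE_TOKEN = [
  base64UrlEncode('{"typ":"JWT","alg":"RS256"}'),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'constructed-signature-placeholder'
].join('.');

console.info(decodePayload(SAMPLE_TOKEN).aud);
console.info(audienceMatchesSourceLocation(decodePayload(SAMPLE_TOKEN).aud, MANIFEST_SOURCE_LOCATION));
```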